Analysis
max time kernel: 143s
max time network: 138s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 01:25
Behavioral task behavioral1
Sample: JaffaCakes118_4896fe9c5f16943cf1d47cf1029e4ccf317b811f7b0aac3f77ec53cf75df2ef2.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: JaffaCakes118_4896fe9c5f16943cf1d47cf1029e4ccf317b811f7b0aac3f77ec53cf75df2ef2.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_4896fe9c5f16943cf1d47cf1029e4ccf317b811f7b0aac3f77ec53cf75df2ef2.exe
Size: 1.3MB
MD5: 85bfeb89da4faf43dbf03e1bfc1e65ee
SHA1: 613fa3f36a79e9eb2f58e14296d807641d4ea19c
SHA256: 4896fe9c5f16943cf1d47cf1029e4ccf317b811f7b0aac3f77ec53cf75df2ef2
SHA512: 3e379299ff10d496208a3b445f1ecf87bf76e795ee386aac95486856d27bb443d02a00fcbe1e1206d18e717e7b275971305057dd59c414d67e7b152d3b06452d
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Dcrat family
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro. That generic wording does not fit this parent: wmiprvse.exe is the WMI provider host, and any process created through WMI (Win32_Process.Create) shows up as its child, so these 42 schtasks.exe launches are the sample creating its tasks through WMI, not an exploited wmiprvse.exe. wmiprvse.exe spawning schtasks.exe, cmd.exe or powershell.exe is still a reliable detection signal; administrative tooling that runs commands over WMI will also trigger it, so baseline before alerting.
description (all 42 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target (all 42 rows): 2540 | Process: schtasks.exe | procid_target: 34
pid of the spawned schtasks.exe, in the order listed: 3028, 2472, 1404, 2280, 1916, 1168, 1176, 2512, 2984, 1004, 2180, 1072, 2772, 2704, 2892, 2932, 808, 2080, 2244, 2492, 1412, 264, 2348, 1568, 2160, 2324, 2952, 2360, 2040, 2364, 2416, 896, 1612, 392, 3024, 3004, 2032, 1016, 2968, 1972, 940, 2496
resource / yara_rule:
behavioral1/files/0x0008000000016d47-9.dat  dcrat
behavioral1/memory/2804-13-0x0000000000BE0000-0x0000000000CF0000-memory.dmp  dcrat
behavioral1/memory/2696-129-0x0000000000BD0000-0x0000000000CE0000-memory.dmp  dcrat
behavioral1/memory/2996-188-0x0000000000EE0000-0x0000000000FF0000-memory.dmp  dcrat
behavioral1/memory/1728-307-0x0000000000260000-0x0000000000370000-memory.dmp  dcrat
behavioral1/memory/2876-367-0x0000000001240000-0x0000000001350000-memory.dmp  dcrat
behavioral1/memory/2612-427-0x00000000001C0000-0x00000000002D0000-memory.dmp  dcrat
behavioral1/memory/1300-487-0x0000000000A80000-0x0000000000B90000-memory.dmp  dcrat
behavioral1/memory/1728-547-0x00000000012B0000-0x00000000013C0000-memory.dmp  dcrat
behavioral1/memory/2756-607-0x0000000001300000-0x0000000001410000-memory.dmp  dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes. In this trace all 15 invocations are Add-MpPreference -ExclusionPath, one per location where a payload copy is planted (the full command lines are in the process tree below).
pid / Process (all powershell.exe): 1000, 236, 996, 1676, 992, 756, 2400, 2268, 1672, 760, 1248, 2396, 2296, 2388, 1212
Executes dropped EXE 12 IoCs
pid / Process: 2804 DllCommonsvc.exe; spoolsv.exe 2696, 2996, 2936, 1728, 2876, 2612, 1300, 1728, 2756, 2628, 2896
Loads dropped DLL 2 IoCs
pid / Process: 2228 cmd.exe (listed twice)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow / ioc: 26, 30, 33, 4, 12, 15, 19, 23, 37, 5, 9, all to raw.githubusercontent.com
Drops file in Program Files directory 5 IoCs
description / ioc / Process:
File created  C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\dwm.exe  DllCommonsvc.exe
File created  C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\6cb0b6c459d5d3  DllCommonsvc.exe
File created  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe  DllCommonsvc.exe
File opened for modification  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\f3b6ecef712a24  DllCommonsvc.exe
Drops file in Windows directory 4 IoCs
description / ioc / Process:
File created  C:\Windows\Help\wininit.exe  DllCommonsvc.exe
File created  C:\Windows\Help\56085415360792  DllCommonsvc.exe
File created  C:\Windows\LiveKernelReports\lsm.exe  DllCommonsvc.exe
File created  C:\Windows\LiveKernelReports\101b941d020240  DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. All three hits are on the launcher chain (the initial dropper, WScript.exe and cmd.exe); neither DllCommonsvc.exe nor any spoolsv.exe copy opens the key. Reading NLS\Language at process start-up is routine locale initialisation, so this signature carries little weight for this sample.
description / ioc / Process:
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_4896fe9c5f16943cf1d47cf1029e4ccf317b811f7b0aac3f77ec53cf75df2ef2.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process (all schtasks.exe): 2984, 2244, 2160, 2364, 3024, 940, 1916, 2080, 1404, 2772, 1568, 2416, 1016, 1072, 2892, 2932, 2348, 2360, 2040, 3004, 1972, 1168, 1176, 2704, 808, 2492, 1412, 264, 2952, 896, 1612, 2032, 2512, 2180, 2968, 3028, 2472, 2280, 1004, 2324, 392, 2496
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid / Process: 2804 DllCommonsvc.exe; powershell.exe 756, 2296, 992, 1672, 996, 1676, 2388, 2396, 760, 1248, 1000, 2268, 2400, 1212, 236; spoolsv.exe 2696, 2996, 2936, 1728, 2876, 2612, 1300, 1728, 2756, 2628, 2896
Suspicious use of AdjustPrivilegeToken 27 IoCs
Token: SeDebugPrivilege in every row, for the same 27 pid / Process pairs: 2804 DllCommonsvc.exe; powershell.exe 756, 2296, 992, 1672, 996, 1676, 2388, 2396, 760, 1248, 1000, 2268, 2400, 1212, 236; spoolsv.exe 2696, 2996, 2936, 1728, 2876, 2612, 1300, 1728, 2756, 2628, 2896
Suspicious use of WriteProcessMemory 64 IoCs
Every row is a parent writing into a child it has just created (the ordinary writes CreateProcess performs), so this signature traces the launch chain dropper -> WScript.exe -> cmd.exe -> DllCommonsvc.exe -> PowerShell/cmd.exe rather than injection into a foreign process. The sandbox logs the same start-up several times; repeated rows are collapsed below with the count in brackets.
description / pid / Process / procid_target:
PID 2856 (JaffaCakes118_4896fe9c5f16943cf1d47cf1029e4ccf317b811f7b0aac3f77ec53cf75df2ef2.exe) wrote to memory of 2808, procid_target 30 [x4]
PID 2808 (WScript.exe) wrote to memory of 2228, procid_target 31 [x4]
PID 2228 (cmd.exe) wrote to memory of 2804, procid_target 33 [x4]
PID 2804 (DllCommonsvc.exe) wrote to memory of 1672, procid_target 77 [x3]
PID 2804 (DllCommonsvc.exe) wrote to memory of 1212, procid_target 78 [x3]
PID 2804 (DllCommonsvc.exe) wrote to memory of 760, procid_target 79 [x3]
PID 2804 (DllCommonsvc.exe) wrote to memory of 992, procid_target 80 [x3]
PID 2804 (DllCommonsvc.exe) wrote to memory of 756, procid_target 81 [x3]
PID 2804 (DllCommonsvc.exe) wrote to memory of 996, procid_target 82 [x3]
PID 2804 (DllCommonsvc.exe) wrote to memory of 1248, procid_target 83 [x3]
PID 2804 (DllCommonsvc.exe) wrote to memory of 2396, procid_target 84 [x3]
PID 2804 (DllCommonsvc.exe) wrote to memory of 2296, procid_target 85 [x3]
PID 2804 (DllCommonsvc.exe) wrote to memory of 2400, procid_target 86 [x3]
PID 2804 (DllCommonsvc.exe) wrote to memory of 1676, procid_target 87 [x3]
PID 2804 (DllCommonsvc.exe) wrote to memory of 1000, procid_target 88 [x3]
PID 2804 (DllCommonsvc.exe) wrote to memory of 2388, procid_target 89 [x3]
PID 2804 (DllCommonsvc.exe) wrote to memory of 236, procid_target 90 [x3]
PID 2804 (DllCommonsvc.exe) wrote to memory of 2268, procid_target 91 [x3]
PID 2804 (DllCommonsvc.exe) wrote to memory of 2668, procid_target 107 [x3]
PID 2668 (cmd.exe) wrote to memory of 2340, procid_target 109 [x3]
PID 2668 (cmd.exe) wrote to memory of 2696, procid_target 110 [x1]
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
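The signatures above describe three behaviours that are cheap to detect from process-creation telemetry: schtasks.exe running as a child of wmiprvse.exe, PowerShell adding Defender exclusions, and payload copies executing under system-binary names (spoolsv.exe, dwm.exe, lsass.exe, ...) from directories where Windows never keeps them. The Python below is an added example, not part of this sandbox report or of the DcRat sample, that applies those three rules to a handful of constructed process events: the first four copy PIDs, images and command lines from this report (with the quotes around the powershell token dropped), the last two are benign and must stay quiet. The event fields (pid, parent_pid, parent_image, image, command_line), the list of system directories and the list of interpreters are this example's assumptions, not a vendor log schema.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event. Field names are this example's own, not a vendor schema."""
    pid: int
    parent_pid: int
    parent_image: str
    image: str
    command_line: str


# Windows binary names the sample reuses for its dropped copies (taken from the report).
SYSTEM_BINARY_NAMES = {
    "spoolsv.exe", "dwm.exe", "lsass.exe", "csrss.exe", "smss.exe",
    "wininit.exe", "lsm.exe", "services.exe", "explorer.exe", "idle.exe",
}
# Directories where those names legitimately live (assumption: default install paths).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
# Interpreters and LOLBins the WMI provider host has no business launching (assumption).
WMI_CHILDREN_OF_INTEREST = {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe"}

EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(?P<kind>Path|Process|Extension)\s+'(?P<value>[^']+)'",
    re.IGNORECASE,
)


def split_path(path: str) -> Tuple[str, str]:
    """Lower-cased (directory, file name) of a Windows path; surrounding quotes are ignored."""
    directory, _, name = path.strip('"').lower().rpartition("\\")
    return directory, name


def masquerades_system_binary(path: str) -> bool:
    """A system-binary file name sitting outside the directories where Windows keeps it."""
    directory, name = split_path(path)
    return name in SYSTEM_BINARY_NAMES and directory not in LEGIT_DIRS


def rule_wmiprvse_child(ev: ProcEvent) -> Optional[str]:
    """wmiprvse.exe is the parent of anything started through Win32_Process.Create."""
    _, parent = split_path(ev.parent_image)
    _, child = split_path(ev.image)
    if parent == "wmiprvse.exe" and child in WMI_CHILDREN_OF_INTEREST:
        return f"wmiprvse.exe (pid {ev.parent_pid}) spawned {child}"
    return None


def rule_defender_exclusion(ev: ProcEvent) -> Optional[str]:
    """Defender exclusion added from a command line; noted when the excluded file masquerades."""
    m = EXCLUSION_RE.search(ev.command_line)
    if not m:
        return None
    kind, value = m.group("kind"), m.group("value")
    detail = f"Defender Exclusion{kind} added for {value}"
    if kind.lower() == "path" and masquerades_system_binary(value):
        detail += " (system-binary name outside a system directory)"
    return detail


def rule_masquerade_exec(ev: ProcEvent) -> Optional[str]:
    """A process whose image carries a system-binary name but runs from a non-system directory."""
    if masquerades_system_binary(ev.image):
        return f"{ev.image} executed from a non-system directory"
    return None


RULES: List[Callable[[ProcEvent], Optional[str]]] = [
    rule_wmiprvse_child, rule_defender_exclusion, rule_masquerade_exec,
]


def triage(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Run every rule over every event and return (pid, rule name, detail) for each hit."""
    findings = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append((ev.pid, rule.__name__, detail))
    return findings


# Constructed events. The first four mirror rows of this report; the last two are benign.
SAMPLE_EVENTS = [
    ProcEvent(3028, 2540, r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe",
              r"""schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe'" /f"""),
    ProcEvent(1672, 2804, r"C:\providercommon\DllCommonsvc.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'"""),
    ProcEvent(756, 2804, r"C:\providercommon\DllCommonsvc.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\dwm.exe'"""),
    ProcEvent(2696, 2668, r"C:\Windows\System32\cmd.exe", r"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe",
              r"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"),
    # Benign (constructed PIDs): the real print spooler started by the Service Control Manager.
    ProcEvent(1304, 668, r"C:\Windows\System32\services.exe", r"C:\Windows\System32\spoolsv.exe",
              r"C:\Windows\System32\spoolsv.exe"),
    # Benign (constructed): an interactive PowerShell that only reads the Defender configuration.
    ProcEvent(4100, 2000, r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -Command Get-MpPreference"),
]

if __name__ == "__main__":
    for pid, rule, detail in triage(SAMPLE_EVENTS):
        print(f"pid {pid:>5}  {rule:<24}  {detail}")
```

Run as a script it prints four findings, one per malicious event, and nothing for the spooler started from System32 or for the PowerShell that only calls Get-MpPreference. The relaunch loop in the process tree (cmd.exe runs a .bat that calls w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 and then starts the next spoolsv.exe copy) is not covered by these rules; the only plausible purpose of w32tm there is a few-second delay, so a rule on w32tm.exe /stripchart against localhost spawned from cmd.exe is a cheap addition.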
Processes
(the number in brackets is the nesting depth in the sandbox's process tree; each entry is a child of the nearest preceding entry one level up)
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4896fe9c5f16943cf1d47cf1029e4ccf317b811f7b0aac3f77ec53cf75df2ef2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4896fe9c5f16943cf1d47cf1029e4ccf317b811f7b0aac3f77ec53cf75df2ef2.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2856
[2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2808
[3] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2228
[4] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2804
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1672
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1212
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 760
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 992
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\dwm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 756
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 996
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1248
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2396
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\dwm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2296
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\spoolsv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2400
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\lsass.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1676
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\lsm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1000
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\smss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2388
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 236
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\dwm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2268
[5] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UOph32PSWo.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2668
[6] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2340
[6] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
    Command line: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2696
[7] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat"
    PID: 2980
[8] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 840
[8] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
    Command line: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2996
[9] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"
    PID: 944
[10] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2620
[10] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
    Command line: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2936
[11] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat"
    PID: 1828
[12] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 912
[12] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
    Command line: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1728
[13] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat"
    PID: 2956
[14] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2824
[14] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
    Command line: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2876
[15] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat"
    PID: 2288
[16] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 956
[16] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
    Command line: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2612
[17] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat"
    PID: 1676
[18] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 960
[18] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
    Command line: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1300
[19] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"
    PID: 2552
[20] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2668
[20] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
    Command line: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1728
[21] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat"
    PID: 2740
[22] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 880
[22] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
    Command line: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2756
[23] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
    PID: 1840
[24] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1412
[24] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
    Command line: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2628
[25] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat"
    PID: 1716
[26] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2872
[26] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
    Command line: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2896
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\providercommon\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Help\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Recorded TV\Sample Media\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\Sample Media\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Templates\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default\NetHood\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\NetHood\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496
Network
MITRE ATT&CK Enterprise v15
Downloads